CVE-2023-27975 - Vulnerability Details - OpenCVE

CWE-522: Insufficiently Protected Credentials vulnerability exists that could cause unauthorized access to the project file in EcoStruxure Control Expert when a local user tampers with the memory of the engineering workstation.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Schneider-electric	Ecostruxure Control Expert Ecostruxure Process Expert

Configuration 1 [-]

OR	cpe:2.3:a:schneider-electric:ecostruxure_control_expert::::::::
	cpe:2.3:a:schneider-electric:ecostruxure_process_expert::::::::

No data.

References

Link	Providers
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-044-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-044-01.pdf

History

Wed, 11 Dec 2024 20:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Schneider-electric Schneider-electric ecostruxure Control Expert Schneider-electric ecostruxure Process Expert
CPEs		cpe:2.3:a:schneider-electric:ecostruxure_control_expert:::::::: cpe:2.3:a:schneider-electric:ecostruxure_process_expert::::::::
Vendors & Products		Schneider-electric Schneider-electric ecostruxure Control Expert Schneider-electric ecostruxure Process Expert

MITRE

Status: PUBLISHED

Assigner: schneider

Published: 2024-02-14T16:55:41.495Z

Updated: 2024-08-02T12:23:30.803Z

Reserved: 2023-03-09T05:25:56.973Z

Link: CVE-2023-27975

Vulnrichment

Updated: 2024-08-02T12:23:30.803Z

NVD

Status : Analyzed

Published: 2024-02-14T17:15:08.700

Modified: 2024-12-11T19:33:27.327

Link: CVE-2023-27975

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-27975", "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "state": "PUBLISHED", "assignerShortName": "schneider", "dateReserved": "2023-03-09T05:25:56.973Z", "datePublished": "2024-02-14T16:55:41.495Z", "dateUpdated": "2024-08-02T12:23:30.803Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "EcoStruxure Control Expert", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "Versions prior to v16.0"}]}, {"defaultStatus": "unaffected", "product": "EcoStruxure Process Expert", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "Versions prior to v2023"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nCWE-522: Insufficiently Protected Credentials vulnerability exists that could cause unauthorized\naccess to the project file in EcoStruxure Control Expert when a local user tampers with the\nmemory of the engineering workstation.\n\n"}], "value": "\nCWE-522: Insufficiently Protected Credentials vulnerability exists that could cause unauthorized\naccess to the project file in EcoStruxure Control Expert when a local user tampers with the\nmemory of the engineering workstation.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider", "dateUpdated": "2024-02-14T16:55:41.495Z"}, "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-044-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-044-01.pdf"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-27975", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-21T20:31:05.372971Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:24:48.765Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:23:30.803Z"}, "title": "CVE Program Container", "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-044-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-044-01.pdf", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-044-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-044-01.pdf", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:23:30.803Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-27975", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-21T20:31:05.372971Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:12.559Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Schneider Electric", "product": "EcoStruxure Control Expert", "versions": [{"status": "affected", "version": "Versions prior to v16.0"}], "defaultStatus": "unaffected"}, {"vendor": "Schneider Electric", "product": "EcoStruxure Process Expert", "versions": [{"status": "affected", "version": "Versions prior to v2023"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-044-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-044-01.pdf"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "\nCWE-522: Insufficiently Protected Credentials vulnerability exists that could cause unauthorized\naccess to the project file in EcoStruxure Control Expert when a local user tampers with the\nmemory of the engineering workstation.\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\nCWE-522: Insufficiently Protected Credentials vulnerability exists that could cause unauthorized\naccess to the project file in EcoStruxure Control Expert when a local user tampers with the\nmemory of the engineering workstation.\n\n", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials"}]}], "providerMetadata": {"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider", "dateUpdated": "2024-02-14T16:55:41.495Z"}}}, "cveMetadata": {"cveId": "CVE-2023-27975", "state": "PUBLISHED", "dateUpdated": "2024-08-02T12:23:30.803Z", "dateReserved": "2023-03-09T05:25:56.973Z", "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "datePublished": "2024-02-14T16:55:41.495Z", "assignerShortName": "schneider"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_control_expert:*:*:*:*:*:*:*:*", "matchCriteriaId": "1FF68269-FEB0-41F0-9127-965AA4ADCC91", "versionEndExcluding": "16.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_process_expert:*:*:*:*:*:*:*:*", "matchCriteriaId": "D8022AED-42C4-42F5-A30A-45F157D71CA9", "versionEndExcluding": "2023", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "\nCWE-522: Insufficiently Protected Credentials vulnerability exists that could cause unauthorized\naccess to the project file in EcoStruxure Control Expert when a local user tampers with the\nmemory of the engineering workstation.\n\n"}, {"lang": "es", "value": "CWE-522: Existe una vulnerabilidad de credenciales insuficientemente protegidas que podr\u00eda provocar un acceso no autorizado al archivo del proyecto en EcoStruxure Control Expert cuando un usuario local manipula la memoria de la estaci\u00f3n de trabajo de ingenier\u00eda."}], "id": "CVE-2023-27975", "lastModified": "2024-12-11T19:33:27.327", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "cybersecurity@se.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-14T17:15:08.700", "references": [{"source": "cybersecurity@se.com", "tags": ["Vendor Advisory"], "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-044-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-044-01.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-044-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-044-01.pdf"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "cybersecurity@se.com", "type": "Secondary"}]}